Microsoft has announced it will establish a set of "transparency centres" around the world, at which government clients can rifle through its source code to satisfy themselves it contains no back doors.
Announced last week at the Munich Security Conference, Microsoft's veep for security Matt Thomlinson said the centres “...will …

Great, so that means they're going to issue cryptographically signed releases as well, right?

Ah, hang on, no, they aren't. So for a limited number of government customers, Microsoft are talking about allowing them to view selected parts of their source code, and they are then expecting them to take it on faith that it is this same clean code that is compiled, packaged and released. Right...

Re: Great, so that means they're going to issue cryptographically signed releases as well, right?

This is what happens when a government agency cares more about attacking the rest of the world (including its own citizens) instead of securing and protecting its own nation's citizens and their IT infrastructure. Even if Microsoft has done nothing wrong with all the secret letters and courts and such its very hard to prove it. Still I am not shedding a tear. The only thing that ever gets anything changed in government in my homeland of The United States of Corporate Whores is when some Megacorp starts losing money.

Re: Great, so that means they're going to issue cryptographically signed releases as well, right?

I do not understand what is new here. This has been available for a very long time.

In fact, this was one of the key factors involved in Biligatus of the Borg successfully trading horses with the Chinese to stop the government push behind Red Flag Linux a while back and go for WinXP on the desktop. The threat of MSFT losing a potential several million desktops promptly got them access to the source. That was nearly 10 years ago, so it is not surprising they can do Auroras now. As one of the other posters noted, "It is all about the money, stupid".

However, if memory serves me right :

1. MSFT source code access program was applicable only to the OS, not to Office and other software. So you audit a version of an OS which you never install and which you cannot build into a working binary, as you are not in possession of the build tools and packaging tools for it. After that you install on top something that is big enough to contain a 3D flight simulator as an Easter egg, and for some strange reason you implicitly trust that it does not contain any backdoors.

2. The existing MSFT source code access program used to apply only to some of the source. Apparently there are bits and bobs in the MSFT OS which include 3rd party code for which Microsoft does not have the right to allow any 3rd party to see the source. The source for, surprise, surprise crypto accelerator drivers and some of the crypto libraries used to be unavailable under that program. Cough... Cough....

Re: Great, so that means they're going to issue cryptographically signed releases as well, right?

The real tragedy is that Microsoft think that this will wash with enough people to give it a try in the first place. Microsoft must feel total contempt for their customers to even try hoodwinking them with this piece of security theatre.

Re: Great, so that means they're going to issue cryptographically signed releases as well, right?

"crypto accelerator drivers and some of the crypto libraries used to be unavailable under that program."

For real? That alone should be grounds to cancel the order unless the applications have no current or future need for encryption, or the manufacturer's crypto is to be disabled and replaced by something for which the source is available and can be built on the machine it runs on.

Re: Great, so that means they're going to issue cryptographically signed releases as well, right?

Pretend there is a proper code review

Thousands of programmers working for months with tools they can trust declaring parts of one version of an enormous code base do not contain back doors. The cost would be enormous. In return, tax payers get the opportunity to have the government rent installs of software that can update itself over the internet until it bears no relation to the code that was reviewed.

If the money were spent reviewing free software instead, the result could be installed for free on any number of computers. It could be maintained without having to pay monopoly lock-in prices. The EU could distribute signed copies of a guaranteed spyware-safe operating system with built-in politically correct filtering. In fact they could base it on work that has already been tested in the field: Red Star OS.

Re: Pretend there is a proper code review

At the risk of pointing out the obvious, but extremely unpopular: there have been, to my mind, three major Linux screw-ups recently, which should have been seen ages ago. The 20-odd-year privilege escalation bug in X11, the Debian random number generator issue and the near total loss of the KDE codebase because, as far as I can tell, all the developers thought that replication was the same as backup.

This brings up two issues really. One is the argument that thousands upon thousands of eyes make sure there are no bugs and that those are fixed early, which just isn't the case without systematic code review. The other is that it doesn't matter how many eyes you have: if they are looking in the wrong direction or don't understand what they're seeing, they are as near useless as makes no odds.

Linux is a fantastic thing, but let's not pretend it's a panacea; thinking it is lulls one into a false sense of security, which in itself is likely to make any system one runs on Linux less secure. Let us also not decry the legitimate efforts towards transparency of companies which make closed source software, as this will basically prevent the adoption of open source. No-one in industry or government is going to want to use software championed by people who keep telling them in a shrill cry that they're morons for using the software which they currently operate and which demonstrably works.

No panacea

You say you expect to be unpopular, but you have no downvotes as I write, and you won't get one from me. I think that many commenters are just talking about GNU/Linux [1] because the article talks about Microsoft's Transparency Center(s), and it's so obvious that they, or rather it, won't get us within a country mile of the transparency that already exists in FOSS. Your point about many eyes making all bugs shallow is well taken, and your examples were indeed notable failures. However, they are three notable failures which were transparent. Stuxnet exploited four zero-day flaws in Windows(TM), as I recall, and all the closed-source vendors (hello, Oracle!) issue critical bug fixes with about the same frequency that I see them turning up in my Linux/GNU/KDE stack.

Thompson is whistling in the dark; as others have said above, if customers can't verify the build from source to binary, and they can't control the nature and content of updates, then they have to suck it up and trust their vendor.

[1] I'm being pedantic, because only one of your examples was actually a flaw in Linux per se :)

Re: No panacea

I said it was unpopular because I've said the same thing before to a billion downvotes; there are a number of commenters here who interpret any criticism of Linux as a personal attack. I don't actually care about downvotes, but I do care that people bother to read what I say, rather than knee-jerk from the point of view of MS=Shite, Linux=The best thing in the world. Particularly because having a false sense of security engendered by believing that one is really smart because one is running the most secure OS is what leads to sloppy security. A few years ago a friend of mine was lecturing me about how Linux was far more secure than Windows. Of the two of us, one had discovered that his workstation had been rooted and was being used to serve porn. It wasn't me. Of course this was down to super-smart hackers, rather than sloppy user security.

Stuxnet may well have used zero-day vulnerabilities in Windows, but we have literally no way of knowing if there were any software or hackers actively using the zero-day flaws I mentioned above. That we know about Stuxnet is down to an accident which put it into the wild. "I don't know of any problems, therefore there aren't any" is a mindset which leads to sloppy security.

Also, if you believe that Linux users can verify the build on their machine, you have a far higher belief in the ability of the users than I would think is warranted. You also trust that the sites supplying the source code are legitimate and that the compiler tools are legitimate. You furthermore rely upon the thousands of eyes knowing what they're seeing and looking in the right direction.

It's all down to trust. Personally, I trust Red Hat, I trust CentOS, but I also trust Microsoft, Apple, IBM and HP.

Hey, microsoft, I have a serious question!

Can I use my own compiler, hand crafted in assembler over the last couple dozen years, fully capable of compiling Slackware-current from scratch, on your source? Why do I ask? See Ken's "Reflections On Trusting Trust":

http://cm.bell-labs.com/who/ken/trust.html

Somehow, I suspect the answer is "no, absolutely not! You must use our compiler!".

Bottom line? I see no reason to trust redmond (or cupertino, or various .govs for that matter) when it comes to computer/network security.

Re: Hey, microsoft, I have a serious question!

Doing this right would involve something like (a) making the Microsoft C compiler deterministic --- so the same source always produces the same binary, no matter who compiles it; (b) building the Microsoft C compiler with a known good bootstrap compiler --- e.g. gcc; (c) comparing the windows build you get at the end of this with what Redmond distributes.

In the Windows security push a while back, they did make sure they actually had the source code to everything that goes on to the Windows install DVD, so at least you no longer have the problem of "hey, we lost the source to that binary, so you'll just have to trust it".

The above sketch is clearly not the whole picture: you'd also have to look pretty closely at their equivalent of Makefiles (a program called build, if I recall correctly) to make sure there was no funny business with object files being copied from somewhere rather than recompiled when you build the OS.

And this still wouldn't help about deliberate bugs such as buffer overflows being left in the code.
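
Step (c) of the sketch above, comparing the build you made from the reviewed source with what the vendor ships, as an added example that is not part of the original thread and not Microsoft's tooling. It works on constructed, hand-made PE-shaped blobs (DOS header, PE signature, COFF header, opaque code bytes), not real compiler output, and it only handles one source of nondeterminism, the COFF TimeDateStamp at e_lfanew+8; real toolchains embed more (debug directory entries, resource timestamps), so a production comparison needs a longer normalisation list. The file names and "tampered" bytes are invented for illustration.

```python
import hashlib
import struct
from typing import Dict, Tuple


def make_pe(timestamp: int, code: bytes) -> bytes:
    """Construct a minimal PE-like image for the demo: a 64-byte DOS header whose
    e_lfanew (offset 0x3C) points at 'PE\\0\\0', then a 20-byte COFF file header
    with TimeDateStamp at +8, then an opaque 'code' blob. Sample data only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH",
                       0x8664,     # Machine: x86-64
                       1,          # NumberOfSections
                       timestamp,  # TimeDateStamp: the field a non-deterministic build changes
                       0, 0,       # PointerToSymbolTable, NumberOfSymbols
                       0,          # SizeOfOptionalHeader (omitted in this toy image)
                       0x0002)     # Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE
    return dos + b"PE\x00\x00" + coff + code


def normalize_pe(data: bytes) -> bytes:
    """Return a copy with the COFF TimeDateStamp zeroed so two builds of identical
    source hash the same. Anything that is not PE-shaped is returned unchanged."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return data
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return data
    ts_off = e_lfanew + 8
    if ts_off + 4 > len(data):
        return data
    return data[:ts_off] + b"\x00\x00\x00\x00" + data[ts_off + 4:]


def digest(data: bytes, normalize: bool = True) -> str:
    """SHA-256 of the (optionally normalised) image."""
    return hashlib.sha256(normalize_pe(data) if normalize else data).hexdigest()


def compare_builds(local: Dict[str, bytes], shipped: Dict[str, bytes],
                   normalize: bool = True) -> Dict[str, str]:
    """Compare the files you built from the reviewed source against the files the
    vendor shipped. Verdicts: match, mismatch, missing-in-local, missing-in-shipped.
    A shipped file with no local counterpart is code nobody reviewed."""
    verdicts: Dict[str, str] = {}
    for name in sorted(set(local) | set(shipped)):
        if name not in local:
            verdicts[name] = "missing-in-local"
        elif name not in shipped:
            verdicts[name] = "missing-in-shipped"
        elif digest(local[name], normalize) == digest(shipped[name], normalize):
            verdicts[name] = "match"
        else:
            verdicts[name] = "mismatch"
    return verdicts


# Constructed sample builds (hypothetical file names, invented bytes).
REVIEWED_CODE = b"\x48\x31\xc0\xc3"       # xor rax,rax ; ret
TAMPERED_CODE = b"\x48\x31\xc0\x90\xc3"   # one extra byte the reviewed source never produced

LOCAL_BUILD = {
    "core.dll":   make_pe(timestamp=1_392_000_000, code=REVIEWED_CODE),
    "crypto.dll": make_pe(timestamp=1_392_000_000, code=REVIEWED_CODE),
}
SHIPPED_BUILD = {
    "core.dll":   make_pe(timestamp=1_392_100_000, code=REVIEWED_CODE),  # only the timestamp differs
    "crypto.dll": make_pe(timestamp=1_392_100_000, code=TAMPERED_CODE),  # real content difference
    "extra.sys":  make_pe(timestamp=1_392_100_000, code=REVIEWED_CODE),  # shipped, never shown as source
}


def report() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Raw comparison (timestamps make everything mismatch) next to the normalised
    comparison that isolates the real differences."""
    return (compare_builds(LOCAL_BUILD, SHIPPED_BUILD, normalize=False),
            compare_builds(LOCAL_BUILD, SHIPPED_BUILD, normalize=True))


if __name__ == "__main__":
    raw, normalized = report()
    for name in sorted(normalized):
        print(f"{name:12s} raw={raw[name]:18s} normalized={normalized[name]}")
```

The raw comparison flags every file, which is the state the commenter's step (a) is meant to fix: until the toolchain is deterministic you cannot tell a timestamp from a backdoor. After normalisation only crypto.dll (changed bytes) and extra.sys (no reviewed source at all) remain, which are exactly the two things an auditor needs to chase.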

@Lost all faith (was: Re: Hey, microsoft, I have a serious question!)

I signed an NDA with microsoft nearly thirty years ago & provided many bug reports on pilot/beta code because I thought (in my ignorant youth) that they were actually trying to do something useful.

I never profited from said bug reports. Rather, microsoft made a profit from my efforts. I (as a long-term MSDN subscriber) had to actually pay for the final product after win3.1.

Contrary to your theory, microsoft continues to attempt to lure me back into the fold ... I get email every time they roll a major release. This despite repeatedly asking to be removed from the aging email list. (Yes, microsoft is spamming me!)

I'll stick to FOSS, thank you very much. Seems cleaner, somehow.

I'm not anti-microsoft. I'm pro-FOSS. I doubt you grok the difference.

Good move, MS

You get to debug our code then pay us to use it. And, as others have pointed out, there's no guarantee that the binaries you're getting are, in any way, related to the source code which you reviewed.

I'm with the other commentards here: if governments are going to spend money on reviewing code, spend it on open source so all of the code down to the build tools can be checked, and so they can build the binaries to be certain that they came from the "trusted" source code.

Normally I'd say something along the lines of "finally something I like to hear from MS after years of hate", but there are too many things that can be "the catch" to ruin it with, and I'm absolutely sure Microsoft will ruin it.

why the fook...

Even bother with Microsoft. Rid yourself of this hypocritical scourge of IT and use something that is open from the start. I will say it again: the sooner the tech world is rid of Microsoft, the better we will all be. They made computers political; now the politics are biting their sorry arses.

Microsoft gimmick exercise

This move by Microsoft is purely a "Smoke and Mirrors" gimmick.

There is "no way" for any of the governments attending this farce meeting to know with any certainty that what Microsoft is showing them is exactly what the company is shipping, precisely because neither these nor any other government, business, organization or individual has access to the Microsoft Windows "Source Code", which could then be secured and compiled by the customer.

Such a "fantasy" prospect would still not guarantee any substantive level of "rock solid reliability and high level security" from Microsoft Windows however, since those technical characteristics have never been hallmarks of Windows OS.

ahh forgot

Even if the code would be free of any obvious backdoors...

There's still the "bugdoor", a plausible bug which leads, for example, to remote code execution, but simply isn't fixed. One prominent example is ActiveX. If you can fake a certificate, which the NSA surely can do, you can get code running with user permissions.